<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Stop Thinking Hacker, Start Thinking Insider</title>
	<atom:link href="http://www.securitycatalyst.com/blog/2006/12/stop-thinking-hacker-start-thinking-insider/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securitycatalyst.com/blog/2006/12/stop-thinking-hacker-start-thinking-insider/</link>
	<description>changing the way people protect information</description>
	<pubDate>Thu, 04 Dec 2008 02:36:42 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.3</generator>
		<item>
		<title>By: Security Catalyst &#187; Blog Archive &#187; Breach vs. Incident: Semantics or Something More?</title>
		<link>http://www.securitycatalyst.com/blog/2006/12/stop-thinking-hacker-start-thinking-insider/#comment-1854</link>
		<dc:creator>Security Catalyst &#187; Blog Archive &#187; Breach vs. Incident: Semantics or Something More?</dc:creator>
		<pubDate>Wed, 11 Jul 2007 07:23:35 +0000</pubDate>
		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=218#comment-1854</guid>
		<description>[...] are, at the very least, just as dangerous as “breaches” by external attackers. I have written a few times about the insider threat faced by organizations. Studies have continued to prove that [...]</description>
		<content:encoded><![CDATA[<p>[...] are, at the very least, just as dangerous as “breaches” by external attackers. I have written a few times about the insider threat faced by organizations. Studies have continued to prove that [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: AdamDodge</title>
		<link>http://www.securitycatalyst.com/blog/2006/12/stop-thinking-hacker-start-thinking-insider/#comment-1351</link>
		<dc:creator>AdamDodge</dc:creator>
		<pubDate>Wed, 20 Dec 2006 01:20:42 +0000</pubDate>
		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=218#comment-1351</guid>
		<description>Rob,

You pose several questions here, so let me see if I can take them one at a time. I see that you have posted very &lt;a href="http://techbuddha.wordpress.com/2006/10/25/nba-for-network-wide-visibility/" rel="nofollow"&gt;similar&lt;/a&gt; &lt;a href="http://taosecurity.blogspot.com/2006/11/real-insider-threats.html" rel="nofollow"&gt;comments&lt;/a&gt; on other blogs, so I will attempt to offer different answers so as not to simply repeat what others have said to you.

One of the serious problems, in my opinion, with a whitelist, "deny-by-default", environment is that while it does a good job of stopping unwanted activity before it starts, it does a bad job of identifying unwanted activity if it occurs. This is based on the fundamental concept that only authorized, or whitelisted, activity is allowed to occur. Therefore, any activity occurring must be authorized. Of course, this is not always the case. I am not saying that whitelists do not have their part in security, but there must be additional controls to identify unwanted activity.

You mention the implementation of a multilevel security on trusted operating systems (MLS/TOS) and ask the value of such an implementation. I have to respond that this value is most likely very poor for most organizations. Most organizations today do not require this level of security and therefore are not willing to pay for it. In addition, the severe restrictions such controls place on information can be contrary to an organization’s business environment. For example, I work in education and the ability to easily share information is at the foundation of what it is the organization does. (Side Note: This is also why security in education is often a very difficult sell.)

The idea of implementing technical controls to overcome human error will most likely bankrupt many businesses. Ever-increasing complexity always requires an ever-increasing cost in terms of time, money and resources. There is also the chance that some key control will be overlooked, thus rendering all of the other controls worthless. An example of this I like to use is this: A 20 million dollar computer/network/information security system can be defeated with a 35 cent phone call if you don't train your users to not give out information or their passwords over the phone.

Adam</description>
		<content:encoded><![CDATA[<p>Rob,</p>
<p>You pose several questions here, so let me see if I can take them one at a time. I see that you have posted very <a href="http://techbuddha.wordpress.com/2006/10/25/nba-for-network-wide-visibility/" rel="nofollow">similar</a> <a href="http://taosecurity.blogspot.com/2006/11/real-insider-threats.html" rel="nofollow">comments</a> on other blogs, so I will attempt to offer different answers so as not to simply repeat what others have said to you.</p>
<p>One of the serious problems, in my opinion, with a whitelist, &#8220;deny-by-default&#8221;, environment is that while it does a good job of stopping unwanted activity before it starts, it does a bad job of identifying unwanted activity if it occurs. This is based on the fundamental concept that only authorized, or whitelisted, activity is allowed to occur. Therefore, any activity occurring must be authorized. Of course, this is not always the case. I am not saying that whitelists do not have their part in security, but there must be additional controls to identify unwanted activity.</p>
<p>You mention the implementation of a multilevel security on trusted operating systems (MLS/TOS) and ask the value of such an implementation. I have to respond that this value is most likely very poor for most organizations. Most organizations today do not require this level of security and therefore are not willing to pay for it. In addition, the severe restrictions such controls place on information can be contrary to an organization’s business environment. For example, I work in education and the ability to easily share information is at the foundation of what it is the organization does. (Side Note: This is also why security in education is often a very difficult sell.)</p>
<p>The idea of implementing technical controls to overcome human error will most likely bankrupt many businesses. Ever-increasing complexity always requires an ever-increasing cost in terms of time, money and resources. There is also the chance that some key control will be overlooked, thus rendering all of the other controls worthless. An example of this I like to use is this: A 20 million dollar computer/network/information security system can be defeated with a 35 cent phone call if you don&#8217;t train your users to not give out information or their passwords over the phone.</p>
<p>Adam</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Rob</title>
		<link>http://www.securitycatalyst.com/blog/2006/12/stop-thinking-hacker-start-thinking-insider/#comment-1352</link>
		<dc:creator>Rob</dc:creator>
		<pubDate>Mon, 18 Dec 2006 22:39:54 +0000</pubDate>
		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=218#comment-1352</guid>
		<description>So what would be the value and net effect of a security model that worked post-authentication inside the network to deliver user-centric security in a MLS/TOS, deny-by-default environment? You would have protection against inside attackers, and unauthorized external access attempts would just fall off the system as non-events, correct?

I liked that you included user error. Such solutions must also protect users "from themselves".</description>
		<content:encoded><![CDATA[<p>So what would be the value and net effect of a security model that worked post-authentication inside the network to deliver user-centric security in a MLS/TOS, deny-by-default environment? You would have protection against inside attackers, and unauthorized external access attempts would just fall off the system as non-events, correct?</p>
<p>I liked that you included user error. Such solutions must also protect users &#8220;from themselves&#8221;.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
